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Abstract 


This document defines the use of the ARIA block cipher algorithm 
within the Secure Real-time Transport Protocol (SRTP). It details 
two modes of operation (CTR and GCM) and the SRTP key derivation 
functions for ARIA. Additionally, this document defines DTLS-SRTP 
protection profiles and Multimedia Internet KEYing (MIKEY) parameter 
sets for use with ARIA. 
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1. Introduction 


This document defines the use of the ARIA block cipher algorithm 
[RFC5794] in the Secure Real-time Transport Protocol (SRTP) [RFC3711] 
for providing confidentiality for Real-time Transport Protocol (RTP) 
[RFC3550] traffic and for RTP Control Protocol (RTCP) [RFC3550] 
traffic. 


1.1. ARIA 


ARIA is a general-purpose block cipher algorithm developed by Korean 
cryptographers in 2003. It is an iterated block cipher with 128-, 
192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16 
rounds, depending on the key size. It is secure and suitable for 
most software and hardware implementations on 32-bit and 8-bit 
processors. It was established as a Korean standard block cipher 
algorithm in 2004 [ARIAKS] and has been widely used in Korea, 
especially for government-to-public services. It was included in 
Public-Key Cryptography Standards (PKCS) #11 in 2007 [ARIAPKCS]. The 
algorithm specification and object identifiers are described in 
[RFC5794]. 


1.2. Terminology 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 
"OPTIONAL" in this document are to be interpreted as described in BCP 
14 [RFC2119] [RFC8174] when, and only when, they appear in all 
capitals, as shown here. 


2. Cryptographic Transforms 


Block ciphers ARIA and AES share common characteristics including 
mode, key size, and block size. ARIA does not have any restrictions 
for modes of operation that are used with this block cipher. We 
define two modes of running ARIA within SRTP: (1) ARIA in Counter 
Mode (ARIA-CTR) and (2) ARIA in Galois/Counter Mode (ARIA-GCM). 


2.1.  ARIA-CTR 


Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption, 
which it refers to as "AES CM". Section 2 of [RFC6188] defines 

"AES 256 CM" in SRTP. ARIA counter modes are defined in the same 
manner except that each invocation of AES is replaced by that of ARIA 
[RFC5794] and are denoted by ARIA 128 CTR and ARIA 256 CTR, 
respectively, according to the key lengths. The plaintext inputs to 
the block cipher are formed as in AES-CTR (AES CM, AES 256 CM) and 
the block cipher outputs are processed as in AES-CTR. Note that, 
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ARIA-CTR MUST be used only in conjunction with an authentication 
transform. 


Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension 
keystream generation. When ARIA-CTR is used, the header extension 
keystream SHALL be generated in the same manner except that each 
invocation of AES is replaced by that of ARIA [RFC5794]. 


2.2. | ARIA-GCM 


Galois/Counter Mode [GCM] [RFC5116] is an Authenticated Encryption 
with Associated Data (AEAD) block cipher mode. A detailed 
description of ARIA-GCM is defined similarly as AES-GCM found in 
[RFC5116] and [RFC5282]. 


[RFC7714] describes the use of AES-GCM with SRTP. The use of ARIA- 
GCM with SRTP is defined the same as AES-GCM except that each 
invocation of AES is replaced by ARIA [RFC5794]. When encryption of 
header extensions [RFC6904] is in use, a separate keystream to 
encrypt selected RTP header extension elements MUST be generated in 
the same manner defined in [RFC7714] except that AES-CTR is replaced 
by ARIA-CTR. 


3. Key Derivation Functions 


Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key 


derivation function, which it refers to as "AES-CM PRF". Section 3 
of [RFC6188] defines the AES-256 counter mode key derivation 
function, which it refers to as "AES 256 CM PRF". The ARIA-CTR 


Pseudorandom Function (PRF) is defined in a same manner except that 
each invocation of AES is replaced by that of ARIA. According to the 
key lengths of the underlying encryption algorithm, ARIA-CTR PRFs are 
denoted by "ARIA 128 CTR PRF" and "ARIA 256 CTR PRF". The usage 
requirements of [RFC6188] and [RFC7714] regarding the AES-CM PRF 
apply to the ARIA-CTR PRF as well. 


4. Protection Profiles 


This section defines SRTP protection profiles that use the ARIA 
transforms and key derivation functions defined in this document. 
The following list indicates the SRTP transform parameters for each 
protection profile. Those are described for use with DTLS-SRTP 
[RFC5764]. 


The parameters cipher key length, cipher salt length, 
auth key length, and auth tag length express the number of bits in 
the values to which they refer. The maximum lifetime parameter 
indicates the maximum number of packets that can be protected with 
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each single set of keys when the parameter profile is in use. All of 


these parameters apply to both RTP and RTCP, unless the RTCP 
parameters are separately specified. 


SRTP ARIA 128 CTR HMAC SHA1 80 


cipher: ARIA 128, CTR 
cipher key length: 128 bits 
cipher salt length: 112 bits 


key derivation function: 


ARIA 128 CTR PRF 


auth function: HMAC-SHAI1 
auth key length: 160 bits 
auth tag length: 80 bits 


maximum lifetime: 


SRTP ARIA 128 CTR HMAC SHA]1 32 


at most 2^31 SRTCP packets and 
at most 2^48 SRTP packets 


cipher: ARIA 128, CTR 
cipher key length: 128 bits 
cipher salt length: 112 bits 


key derivation function: 


ARIA 128 CTR PRF 


auth function: HMAC-SHA1 
auth key length: 160 bits 
SRTP auth tag length: 32 bits 
SRTCP auth tag length: 80 bits 


maximum lifetime: 


SRTP ARIA 256 CTR HMAC SHA]1 80 


Kim, 


et al. 


at most 2^31 SRTCP packets and 
at most 2^48 SRTP packets 


cipher: ARIA 256 CTR 
cipher key length: 256 bits 
cipher salt length: 112 bits 


key derivation function: 


ARIA 256 CTR PRF 


auth function: HMAC-SHA1 
auth key length: 160 bits 
auth tag length: 80 bits 


maximum lifetime: 


at most 2^31 SRTCP packets and 
at most 2^48 SRTP packets 
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SRTP ARIA 256 CTR HMAC SHA1 32 


cipher: 
cipher key length: 
cipher salt length: 


key derivation function: 


ARIA 256 CTR 
256 bits 
112 bits 


ARIA 256 CTR PRF 


auth function: HMAC-SHAI1 
auth key length: 160 bits 
SRTP auth tag length: 32 bits 
SRTCP auth tag length: 80 bits 


maximum lifetime: 


SRTP AEAD ARIA 128 GCM 


at most 2^31 SRTCP packets and 
at most 2^48 SRTP packets 


cipher: ARIA 128. GCM 
cipher key length: 128 bits 
cipher salt length: 96 bits 

aead auth tag length: 128 bits 
auth function: NULL 

auth key length: N/A 

auth tag length: N/A 


key derivation function: 


maximum lifetime: 


SRTP AEAD ARIA 256 GCM 


ARIA 128 CTR PRF 


at most 2^31 SRTCP packets and 
at most 2^48 SRTP packets 


cipher: ARIA 256 GCM 
cipher key length: 256 bits 
cipher salt length: 96 bits 

aead auth tag length: 128 bits 
auth function: NULL 

auth key length: N/A 

auth tag length: N/A 


key derivation function: ARIA 256 CTR PRF 
maximum lifetime: at most 2^31 SRTCP packets and 
at most 2^48 SRTP packets 


The ARIA-CTR protection profiles use the same authentication 
transform that is mandatory to implement in SRTP: HMAC-SHA1 with a 
160-bit key. 


Note that SRTP protection profiles that use AEAD algorithms do not 
Specify an auth function, auth key length, or auth tag length, since 
they do not use a separate auth function, auth key, or auth tag. The 
term aead auth tag length is used to emphasize that this refers to 
the authentication tag provided by the AEAD algorithm and that this 
tag is not located in the authentication tag field provided by SRTP/ 
SRTCP. 
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The PRFs for ARIA protection profiles are defined by ARIA-CTR PRF of 
the equal key length with the encryption algorithm (see Section 2). 
SRTP ARIA 128. CTR HMAC and SRTP AEAD ARIA 128, GCM MUST use the 
ARIA 128 CTR PRF key derivation function. And SRTP ARIA 256 CTR HMAC 
and SRTP AEAD ARIA 256 GCM MUST use the ARIA 256 CTR PRF key 
derivation function. 


MIKEY specifies the SRTP protection profile definition separately 
from the key length (which is specified by the session encryption key 
length) and the authentication tag length. The DTLS-SRTP [RFC5764] 
protection profiles are mapped to MIKEY parameter sets as shown 


below. 
4-------------------------------------- + 
| Encryption | Encryption | Auth. | 
| Algorithm | Key Length | Tag Length | 
+ + 
SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR | 16 octets | 10 octets 
SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR | 16 octets | 4 octets | 
SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR | 32 octets | 10 octets 
SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR | 32 octets | 4 octets | 
+ + 


Figure 1: Mapping MIKEY Parameters to ARIA-CTR with the HMAC 


Algorithm 
4-------------------------------------- + 
Encryption Encryption AEAD Auth. 
Algorithm Key Length Tag Length 
+ + 
SRTP AEAD ARIA 128 GCM | ARIA-GCM | 16 octets | 16 octets | 
SRTP_AEAD_ARIA_256_GCM | ARIA-GCM | 32 octets | 16 octets | 
+ + 


Figure 2: Mapping MIKEY Parameters to the ARIA-GCM Algorithm 
5. Security Considerations 


At the time of publication of this document, no security problem has 
been found on ARIA. Previous security analysis results are 
summarized in [ATY]. 


The security considerations in [GCM], [RFC3711], [RFC5116], 
[RFC6188], [RFC6904], and [RFC7714] apply to this document as well. 
This document includes crypto suites with authentication tags of a 
length less than 80 bits. These suites MAY be used for certain 
application contexts where longer authentication tags may be 
undesirable, for example, those mentioned in [RFC3711], Section 7.5. 
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6. 


6. 


Otherwise, short authentication tags SHOULD NOT be used, since they 
may reduce authentication strength. See [RFC3711], Section 9.5 for a 
discussion of risks related to weak authentication in SRTP. 


At the time of publication of this document, SRTP recommends HMAC- 
SHA1 as the default and mandatory-to-implement MAC algorithm. All 
currently registered SRTP crypto suites except the GCM-based ones use 
HMAC-SHA1 as their HMAC algorithm to provide message authentication. 
Due to security concerns with SHA-1 [RFC6194], the IETF is gradually 
moving away from SHA-1 and towards stronger hash algorithms such as 
SHA-2 or SHA-3 families. For SRTP, however, SHA-1 is only used in 
the calculation of an HMAC, and no security issue is known for this 
usage at the time of this publication. 


IANA Considerations 
1 DTLS-SRTP 


DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP protection profile". 
In order to allow the use of the algorithms defined in this document 
in DTLS-SRTP, IANA has added the following protection profiles below 
to the "DTLS-SRTP Protection Profiles" registry (see 
«http://www.iana.org/assignments/srtp-protection/») created by 
[RFC5764]: 


SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {0x00, Ox0B} 
SRTP_ARIA_128_CTR_HMAC_SHA1_ 32 (0x00, 0x0C} 
SRTP_ARIA_256_CTR_HMAC_SHA1_ 80 (0x00, OxOD)] 
SRTP ARIA 256 CTR HMAC SHA1 32 (0x00, OxOE) 
SRTP AEAD ARIA 128 GCM = (0x00, Ox0F} 
SRTP AEAD ARIA 256 GCM (0x00, 0x10} 


-2. MIKEY 


[RFC3830] and [RFC5748] define encryption algorithms and PRFs for the 
SRTP policy in MIKEY. In order to allow the use of the algorithms 
defined in this document in MIKEY, IANA has updated the "Multimedia 
Internet KEYing (MIKEY) Payload Name Spaces" registry (see 
«http://www.iana.org/assignments/mikey-payloads/».) 
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IANA has registered the following two encryption algorithms in the 
"Encryption algorithm (Value 0)" subregistry within the "MIKEY 
Security Protocol Parameters" registry: 


4R--------------- 4+------- + 
| SRTP encr alg | Value | 
4--------------- 4+------- + 
| ARIA-CTR | E | 
| ARIA-GCM | 8 | 
4+--------------- 4+------- + 


The default session encryption key length is 16 octets. 


IANA has registered the following PRF in the "SRTP Pseudo Random 
Function (Value 5)" subregistry within the "MIKEY Security Protocol 
Parameters" registry: 


4+---------- +------- + 
| SRTP PRF | Value | 
4+---------- +------- + 
| ARIA-CTR | 2 | 
4+---------- +------- + 
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Appendix A. Test Vectors 


All values are in hexadecimal and represented by the network order 
(called big endian). 


A.1. 


ARIA-CTR Test Vectors 


Common values are organized as follows: 


Kim, 


Rollover Counter: 00000000 

Sequence Number: 315e 

SSRC: 20e8f5eb 

Authentication Key: £935633115354748c978913795530631 
16452309 

Session Salt: cd3a7c42c671e0067a2a2639b43a 

Initialization Vector: cd3a7c42e69915ed7a2a263985640000 

RTP Header: 8008315ebf2e6fe020e8f5eb 

RTP Payload: f57af5fd4ael9562976ec57a5a7ad55a 


5af5c5e5cb5fdf5c55ad57a4a72724d572 
62e9729566ed66e97ac54a4a5a7adb5e1 
Sae5fddd5fd5ac5d56ae56ad5c572d54a 
e54ac55a956afd6aed5a4ac562957a95 
16991691d572£d14e97ae962ed7a9f4a 
955af572e162f£57a956666e17aelf54a 
95f566d54a66el16e4afd6a9f7aelc5c5 
5ae5d56afde916c5e94a6ec56695el14a 
fdel1148416e94ad57ac5146ed59d1cc5 


Note: 
SSRC = Synchronization Source 


SRTP ARIA 128 CTR HMAC SHA1 80 


Session Key: Ocbffd37alledc42c325287f£c0604f2e 


Encrypted RTP Payload: 1bf753f£412e6£35058cc398dc851aae3 
a6ccdcb463fbed9cfb3de2fb76fdffa9 
e481f5befb64c92487f£59dabbc7cc72da 
092485f3fbad87888820b86037311fa4 
4330e18a59a1e1338ba2c21458493a57 
463475c54691f£91cec785429119e0dfc 
d9048£90e07£ecd50b528e8c62ee6e71 
445de5d7£659405135aff3604c2ca4ff 
4aaca40809cb9eee42cc4ad232307570 
81ca289£2851d3315e9568Db501fdce6d 
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Authenticated Portion || Rollover Counter: 
8008315ebf2e6fe020e8f5eblbf753f4 
12e6£35058cc398dc851aae3a6ccdcb4 
63fbed9cfb3de2fb76fdffa9e481f5ef 
b64c92487£59dabbc7cc72da092485£3 
fbad87888820b86037311fa44330e18a 
59a1e1338ba2c21458493a57463475c5 
4691f91cec785429119e0dfcd9048£90 
e07fecd505528e8c62ee6e71445de5d7 
£659405135aff3604c2ca4ff4aaca408 
09cb9eee42cc4ad23230757081ca289£f 
2851d3315e9568b501fdce6d00000000 


Authentication Tag: £9de4e729054672b0e35 


A.1.2. SRTP_ARIA_256_CTR_HMAC_SHA1_80 


Session Key: Oc5ffd37alledc42c325287fc0604f2e 
3e8cd5671a00feE3216aa5eb105783b54 


Encrypted RIP Payload: c424c59fd5696305e5b13d8e8ca7 6566 
17ccd7471088af9debf07555c750f£804 
a5ac2b737be48140958a9b420524112a 
e72e4da5bca59d2b1019ddd7dbdc30b4 
3d5f046152ced40947d62d2c93e7b8e5 
O0f02db2b6b615b010e4c1566884delfa9 
702cdf8157e8aedfe3dd77c765bb50c25 
ae4d624615c15acfdeeb5f79482aaa01 
d3e4c05eb601eca2bd10518e9d460021 
16359232e9eac0fabd05235dd09e6dea 


Authenticated Portion || Rollover Counter: 
8008315ebf2e6fe020e8f5ebc424c59f 
d5696305e55p13d8e8ca7656617ccd747 
1088af9debf075055c750£804a5ac2b73 
7be48140958a9b420524112ae72e4da5 
bca59d2b1019ddd7dbdc30b43d5f0461 
52ced40947d62d2c93e7b8e50£02db2b 
6b61b010e4c1566884delfa9702cdf81 
57e8aedfe3dd77c76bb50c25ae4d6246 
15c15acfdeeb5f79482aaa01d3e4c05e 
b601eca2bd10518e9d46b02116359232 
e9eacOfabd05235dd09e6dea00000000 


Authentication Tag: 192f£515fab04bbb4e62c 
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A.2.  ARIA-GCM Test Vectors 


Common values are organized as follows: 


Rollover Counter: 00000000 

Sequence Number: 315e 

SSRC: 20e8f5eb 

Encryption Salt: 000000000000000000000000 
Initialization Vector: 000020e8£5ep00000000315e 

RTP Payload: f57af5fd4ael19562976ec57ab5a7ad55a 


5af5c5e5cb5fdf5c55ad57a4a72724d572 
62e9729566ed66e97ac54a4a5a7adb5e1 
Sae5fdd5fdd5ac5d56ae56ad5c572d54a 
e54ac55a956afd6aed5a4ac562957a95 
16991691d572£d14e97ae962ed7a9f4a 
955af572e162f£57a956666e17aelf54a 
95f566d54a66el6e4afd6a9f7aelc5c5 
5ae5d56afde916c5e94a6ec56695el14a 
fdell48416e94ad57ac5146ed59d1cc5 
Associated Data: 8008315ebf2e6fe020e8f5eb 


The encrypted RTP payload is longer than the RTP payload by exactly 
the GCM authentication tag length (16 octets). 


A.2.1.  SRTP AEAD ARIA 128 GCM 


Key: e91e5e75da65554a48181£3846349562 


Encrypted RTP Payload: 4d8a9a0675550c704b17d8c9ddc81la5Sc 
d6f7da34f2felb3db7cb3dfb9697102e 
a0f3clfc2dbc873d44bceeae8e444297 
4ba21ff6789d3272613f£509631a7cf£3f1 
4bacbeb421633a90ffbe58c2fa6bdca5 
34£10d0de0502ce1d531b6336e588782 
78531e5c22bc6c85bbd784d478d9e680a 
a19031aaf89101d669d7a3965c1f7e16 
229d7463e0535f4e253f5d18187d40b8 
ae0f564bd970b5e7e2adfb211e89a953 
5abace3f37f5a736f£f4be984bbffbedcl 
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A.2.2.  SRTP AEAD ARIA 256 GCM 


Key: Oc5bffd37alledc42c325287f£c0604f2e 
3e8cd5671a00£fe3216aa5eb105783b54 


Encrypted RTP Payload: 6£9e4bcbc8c85£c0128fb1e4a0a20cb9 
932f£74581f54fc013dd054b19f99371 
425b352d97d3£337b90b63d1b082adee 
e€a9d2d7391897d591b985e55fb50cb53 
50c£7d38dc27ddal27c078al49c8eb98 
083d66363a46e3726af217d3a00275ad 
5pf772c7610ea4c23006878£0ee69a83 
97703169a419303£40b72e4573714d19 
e2697df61e7c7252e5abc6bade876ac4 
961bfac4d5e867afca351a48aed52822 
e210d6ced2cf430ff841472915e7ef£f48 


A.3. Key Derivation Test Vectors 


This section provides test vectors for the default key derivation 
function that uses ARIA in Counter Mode. In the following, we walk 
through the initial key derivation for the ARIA Counter Mode cipher 
that requires a session encryption key of 16/24/32 octets according 
to the session encryption key length, a 14-octet session salt, and an 
authentication function that requires a 94-octet session 
authentication key. These values are called the cipher key, the 
cipher salt, and the auth key in the following. The test vectors are 
generated in the same way with the test vectors of key derivation 
functions in [RFC3711] and [RFC6188] but with each invocation of AES 
replaced with an invocation of ARIA. 


A.3.1. ARIA 128 CTR PRF 


The inputs to the key derivation function are the 16-octet master key 
and the 14-octet master salt: 


master key:  el1f97a0d3e018be0d64fa32c06de4139 
master salt: 0ec675ad498afeebb6960b3aabe6 


index DIV kdr: 000000000000 

label: 00 

master salt: 0ec675ad498afeebb6960b3aabe6 

XOr: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) 
x*2^1L6* 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) 
cipher key: dbd85a3c4d9219b3e81f£7d942e299de4 (ARIA-CTR output) 
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ARIA-CTR protection profile requires a 14-octet cipher salt while 
ARIA-GCM protection profile requires a 12-octet cipher salt. 


index DIV kdr: 


label: 
master salt: 


x*2^16: 


cipher salt: 


index DIV kdr: 


label: 
master salt: 


x*2^16: 


Below, 


the auth key is shown on the left, 


000000000000 
02 
0ec675ad498afeebb6960b3aabe6 


0ec675ad498afee9b6960b3aabe6 


0ec675ad498afee9b6960b3aabe60000 


9700657£5£34161830d7d85f5dc8be7F£ 


9700657£5£34161830d7d85f5dc8 
9700657£5£34161830d7d85f 
000000000000 
01 
0ec675ad498afeebb6960b3aabe6 


0ec675ad498afeeab6960b3aabe6 


0ec675ad498afeeab6960b3aabe60000 


ARIA input blocks are shown on the right. 


auth key 


(x, PRF input) 
(ARIA-CTR input) 
(ARIA-CTR output) 


(ARIA-CTR profile) 
(ARIA-GCM profile) 


(x, PRF input) 


(ARIA-CTR input) 


while the corresponding 


ARIA input blocks 


d021877bd3eaf92d581ed70ddc050e03 
f11257032676f£2a29f£57021abd3a1423 
769749bdc5dd9ca5b43ca6b6c1f3a7de 
4047904bcf811f£601cc03eaa5d7af6db 
9f88efa2e51ca832fc2a15b126fa7be2 
469af896acb1852c31d822c45799 
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0ec675ad498afeeab6960b3aabe60000 
0ec675ad498afeeab6960b3aabe60001 
0ec675ad498afeeab6960b3aabe60002 
0ec675ad498afeeab6960b3aabe60003 
0ec675ad498afeeab6960b3aabe60004 
0ec675ad498afeeab6960b3aabe60005 
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The inputs to the key derivation function are the 32-octet master key 


and the 14-octet master salt: 


master key:  Ocb5ffd37alledc42c325287f£c0604f2e 
3e8cd5671a00fe3216aa5eb105783b54 
master salt: 0ec675ad498afeebb6960b3aabe6 


index DIV kdr: 000000000000 
label: 00 
master salt: 0ec675ad498afeebb6960b3aabe6 


xor: 0ec675ad498afeebb6960b3aabe6 
x*2^16: 0ec675ad498afeebb6960b3aabe60000 


cipher key: 0649a09d93755fe9c2b2efbalcce930a 
f2e76ce8b77e4b175950321aa94b0cf4 


ARIA-CTR protection profile requires a 14-octet 
ARIA-GCM protection profile requires a 12-octet 


index DIV kdr: 000000000000 
label: 02 
master salt:  0ec675ad498afeebb6960b3aabe6 


xor: 0ec675ad498afee9b6960b3aabe6 
x*2^16: 0ec675ad498afee9b6960b3aabe60000 


194abaa8553a8eba8a413a340fc80a3d 


cipher salt:  194abaa8553a8eba8a413a340fc8 
194abaa8553a8eba8a413a34 


index DIV kdr: 000000000000 
label: 01 
master salt:  0ec675ad498afeebb6960b3aabe6 


xor: 0ec675ad498afeeab6960b3aabe6 


x*2^16: 0ec675ad498afeeab6960b3aabe60000 
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(x, PRF input) 
(ARIA-CTR input) 


(ARIA-CTR 1st output) 
(ARIA-CTR 2nd output) 


cipher salt while 
cipher salt. 


(x, PRF input) 
(ARIA-CTR input) 
(ARIA-CTR output) 


(ARIA-CTR profile) 
(ARIA-GCM profile) 


(x, PRF input) 


(ARIA-CTR input) 
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while the corresponding 


ARIA input blocks are shown on the right. 


Kim, 


auth key 


€58d42915873b71899234807334658f2 
0bc460181d06e02b7a9e60f02ff10bfc 
9ade3795cf78£3e0£2556d9d913470c4 
e82e45d254bf08e2933851a3930ffe7d 
fca751c03ec1e77e35e28dac4f17d1a5 
80bdac028766d3b1e8f5a41faa3c 


et al. 
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ARIA input blocks 


0ec675ad498afeeab6960b3aabe60000 
0ec675ad498afeeab6960b3aabe60001 
0ec675ad498afeeab69605b3aabe60002 
0ec675ad498afeeab6960b3aabe60003 
0ec675ad498afeeab6960b3aabe60004 
0ec675ad498afeeab6960b3aabe60005 


[Page 18] 


RFC 8269 ARIA Algorithm for SRTP October 2017 


Authors' Addresses 


Woo-Hwan Kim 

National Security Research Institute 
P.O. Box 1, Yuseong 

Daejeon 34188 

Korea 


Email: whkim5@nsr.re.kr 


Jungkeun Lee 

National Security Research Institute 
P.O. Box 1, Yuseong 

Daejeon 34188 

Korea 


Email: jklee@nsr.re.kr 


Je-Hong Park 

National Security Research Institute 
P.O. Box 1, Yuseong 

Daejeon 34188 

Korea 


Email: jhpark@nsr.re.kr 


Daesung Kwon 

National Security Research Institute 
P.O. Box 1, Yuseong 

Daejeon 34188 

Korea 


Email: ds_kwon@nsr.re.kr 
Dong-Chan Kim 

Kookmin University 

77 Jeongneung-ro, Seongbuk-gu 
Seoul 02707 


Korea 


Email: dckim@kookmin.ac.kr 


Kim, et al. Informational [Page 19] 


